
server {
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;

    listen              {{ internal_port }} ssl;
    listen              [::]:{{ internal_port }} ssl;
    ssl_certificate     /etc/nginx/ssl/nginx_internal.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx_internal.key;
    ssl_protocols       TLSv1.3;
    # from:  https://ssl-config.mozilla.org/#server=nginx
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

{% if spec.enable_health_check_endpoint %}
    location /health {
         return 200 'OK';
         add_header Content-Type text/plain;
    }
{% endif %}
{% if dashboard_endpoints %}
    location /internal/dashboard {
        rewrite ^/internal/dashboard/(.*) /$1 break;
        proxy_pass {{ dashboard_scheme }}://dashboard_servers;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    }
{% endif %}

{% if grafana_endpoints %}
    location /internal/grafana {
        rewrite ^/internal/grafana/(.*) /$1 break;
        proxy_pass {{ grafana_scheme }}://grafana_servers;
    }
{% endif %}

{% if prometheus_endpoints %}
    location /internal/prometheus {
        rewrite ^/internal/prometheus/(.*) /prometheus/$1 break;
        proxy_pass {{ prometheus_scheme }}://prometheus_servers;

        proxy_ssl_certificate /etc/nginx/ssl/nginx_internal.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/nginx_internal.key;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
    }
{% endif %}

{% if alertmanager_endpoints %}
    location /internal/alertmanager {
        rewrite ^/internal/alertmanager/(.*) /alertmanager/$1 break;
        proxy_pass {{ alertmanager_scheme }}://alertmanager_servers;

        proxy_ssl_certificate /etc/nginx/ssl/nginx_internal.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/nginx_internal.key;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
    }
{% endif %}
}
